Enabling Email as an MFA method

Hi, I am looking for an answer about how to allow our users to select between OTP and email during the MFA challenge. I have been back and forth on this with Auth0 support, and have utilized AI tools as well. I am 99.999% sure that I have configured things correctly, but no matter what I do, email does not get recognized as a valid MFA method. My users are email_verified, and have an email address, and therefore are enrolled.

The kink in this setup is this, and it probably makes a difference:

We are acting as IDP in our application. A user goes to our app and logs in. If they are authenticated, we set a partially authenticated state and redirect the user to Auth0, with a SAML Assertion that authenticates them with Auth0. If their user does not exist in Auth0, they are created on the fly. An Action then challenges them for their MFA. If they are a new user, they get properly challenged for an OTP (and if SMS is enabled they get a link to try that instead). If they pass, they are redirected back to our app with a SAML Assertion that validates that they have passed the MFA, and we clear the state flag in our application and allow them in as fully authenticated.

My understanding is that on subsequent MFA challenges, they should have the option of choosing email, but that link never appears. I can interrogate all sorts of things in the action indicating that the user has email_verified, and that email is a valid authentication method for them, but when it comes to actually exercising the email MFA, if the action allows it, they are deferred to OTP, and if the action does not allow it, they get an error:

Unknown multifactor provider undefined

I am pretty sure this is a question that can only be answered by a developer who knows the definitive conditions under which the alternate MFA link would be displayed. Please understand that I have configured everything multiple times with multiple permutations, with the direct guidance of Auth0 support, so unless there is some subtle setting I am missing, it is not necessary to paste the standard email MFA config or Action script here. However, if you have experience with this kind of setup, and/or a pertinent piece of information, I would really appreciate knowing it.

Thanks!


Hi @cbuxbaum

Welcome to the Auth0 Community!

Please allow me some time to research the matter and I will return with an update for you.

Best regards,
Gerald

Is your relying party a custom built app of yours? Are you sending the MFA challenge type in the request?

Hi Jonathan,

I’m not utilizing the API. We are doing IDP initiated SAML, with our app acting as the IDP. Auth0 is the Service Provider, and because we have a signed SAML assertion, we are able to authenticate on the fly without an Auth0 login screen. However, we have set up to always challenge MFA, in a post-login Action, and that is where Auth0 should be throwing up the factor picker to let us choose between OTP and email, which it never does, and errors with “Unknown multifactor provider undefined” if we try to force an email challenge in the action.

Using

api.multifactor.enable('any', { allowRememberBrowser: false });

works fine to challenge with otp or phone, but never gives us the opportunity to switch between factors.
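As an added example (not code from the thread or from Auth0), the post-login Action below offers the user a choice of factors by passing several entries to `api.authentication.challengeWithAny` instead of calling `api.multifactor.enable('any', ...)`; the factor type names (`otp`, `email`), the `event.user.enrolledFactors` field and the `enrollWithAny` fallback are assumptions about the Actions API, and the mock `event`/`api` objects are constructed here so the logic runs offline.

```javascript
// Added example: post-login Action that lets the user pick OTP or email.
// Assumed Actions API: api.authentication.challengeWithAny(factors),
// api.authentication.enrollWithAny(factors), event.user.enrolledFactors.

// Decide which factors this user can be challenged with.
function selectFactors(user) {
  const enrolled = new Set((user.enrolledFactors || []).map((f) => f.type));
  const factors = [];
  if (enrolled.has('otp')) factors.push({ type: 'otp' });
  // Only offer email when an address exists and has been verified.
  if (user.email && user.email_verified) factors.push({ type: 'email' });
  return factors;
}

// In a real tenant this is exported as exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const factors = selectFactors(event.user);
  if (factors.length === 0) {
    // No usable factor yet: route to enrollment rather than a challenge.
    api.authentication.enrollWithAny([{ type: 'otp' }, { type: 'email' }]);
    return;
  }
  // Passing more than one factor is what makes the "try another method"
  // link appear on the challenge page.
  api.authentication.challengeWithAny(factors);
}

// --- constructed mock harness (not part of Auth0) ---
function makeMockApi() {
  const calls = [];
  return {
    calls,
    authentication: {
      challengeWithAny: (f) => calls.push({ method: 'challengeWithAny', factors: f }),
      enrollWithAny: (f) => calls.push({ method: 'enrollWithAny', factors: f }),
    },
  };
}

// Runs the Action against a constructed user and returns the recorded calls.
// The handler has no await, so its body completes before this returns.
function runAction(user) {
  const api = makeMockApi();
  onExecutePostLogin({ user }, api);
  return api.calls;
}
```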